Bug #10669

RGW swift API: temp url generated using x-account-meta-temp-url key is working even after the expiry time if a valid auth token is passed.

Added by Ahmad Faheem over 4 years ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Start date: 01/28/2015
Due date:
% Done: 0%
Source: Q/A
Tags:
Backport:
Regression: No
Severity: 2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

In Swift, if a temp URL has expired, it won't allow accessing the object even if a valid auth token is passed. But Ceph is allowing it.

Steps to reproduce:
1. swift post -H "x-account-meta-temp-url-key: secret"
2. Generate a temp URL using the Python script https://gist.github.com/theanalyst/c9a81e33d27f8a9bafbc. Use a 30s expiry time.
3. curl -i "https://10.20.20.15:80/swift/v1/container/file1?temp_url_sig=085e9b07fa067350b66003f6913798b1ba48b9a2&temp_url_expires=1422448176"

HTTP/1.1 200 OK
Date: Wed, 28 Jan 2015 12:29:15 GMT
Server: Apache/2.4.7 (Ubuntu)
Accept-Ranges: bytes
Last-Modified: Wed, 28 Jan 2015 12:14:54 GMT
etag: 49f68a5c8493ec2c0bf489821c21fc3b
Content-Length: 2
Access-Control-Allow-Origin: *
Content-Type: application/octet-stream
Connection: close

4. Wait for the temp URL to expire. Check the time with #date +%s and compare it with the temp_url_expires value appended to the temp URL.
5. curl -i "https://10.20.20.15:80/swift/v1/container/file1?temp_url_sig=085e9b07fa067350b66003f6913798b1ba48b9a2&temp_url_expires=1422448176" -H "X-Auth-Token: 265f853c5adb4f04bceecc29771d71d1"

HTTP/1.1 200 OK
Date: Wed, 28 Jan 2015 12:41:46 GMT
Server: Apache/2.4.7 (Ubuntu)
Accept-Ranges: bytes
Last-Modified: Wed, 28 Jan 2015 12:14:54 GMT
etag: 49f68a5c8493ec2c0bf489821c21fc3b
Content-Length: 2
Access-Control-Allow-Origin: *
Content-Type: application/octet-stream
Connection: close

In Swift, the last step will throw the error "HTTP/1.1 401 Unauthorized":
curl -i "http://10.0.2.15:8080/v1/AUTH_b2419ea9588d49ddbd8c006b5eb199ff/container/file1?temp_url_sig=da84de9504608cee2217f96e3fab4c5e40922660&temp_url_expires=$expires" -H "x-auth-token: 395ba1f54f98488390c068230dd7a292"

HTTP/1.1 401 Unauthorized
Content-Length: 35
Content-Type: text/html; charset=UTF-8
Www-Authenticate: Swift realm="unknown"
X-Trans-Id: tx0bc56658087f48d483d6c-0054c84d37
Date: Wed, 28 Jan 2015 02:45:11 GMT

401 Unauthorized: Temp URL invalid
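
The check this report expects, as an added example that is not part of the original report and is not Ceph or Swift code: once temp_url_* parameters are present they are validated in full, and an expired URL is rejected instead of falling back to the auth token. The function names, the account path and the token value are constructed for illustration; the signature is HMAC-SHA1 over method, expiry and path, as in Swift's TempURL scheme.

```python
import hmac
import time
from hashlib import sha1

def sign_temp_url(key, method, path, expires):
    """HMAC-SHA1 over "METHOD\\nEXPIRES\\nPATH" using the account's temp URL key."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key.encode(), body, sha1).hexdigest()

def check_request(key, method, path, query, headers, valid_tokens=(), now=None):
    """Return the HTTP status a gateway should answer with (hypothetical helper).

    A request carrying temp_url_sig / temp_url_expires is judged on those
    parameters alone: expired or badly signed means 401, even when the
    X-Auth-Token header on the same request is valid.
    """
    now = int(time.time()) if now is None else now
    sig = query.get("temp_url_sig")
    expires = query.get("temp_url_expires")
    if sig is not None or expires is not None:
        if sig is None or expires is None or not expires.isdigit():
            return 401  # incomplete or malformed temp URL parameters
        if int(expires) < now:
            return 401  # expired: do not fall through to token auth
        expected = sign_temp_url(key, method, path, int(expires))
        return 200 if hmac.compare_digest(expected, sig) else 401
    # No temp URL parameters at all: ordinary token authentication.
    return 200 if headers.get("X-Auth-Token") in valid_tokens else 401

# Constructed sample values; "secret" is the key set in step 1 of the report.
KEY = "secret"
PATH = "/v1/AUTH_test/container/file1"
EXPIRES = 1422448176
TOKEN = "constructed-token"

if __name__ == "__main__":
    q = {"temp_url_sig": sign_temp_url(KEY, "GET", PATH, EXPIRES),
         "temp_url_expires": str(EXPIRES)}
    hdr = {"X-Auth-Token": TOKEN}
    print("before expiry:", check_request(KEY, "GET", PATH, q, {}, now=EXPIRES - 10))
    print("after expiry + token:",
          check_request(KEY, "GET", PATH, q, hdr, (TOKEN,), now=EXPIRES + 600))
```
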
